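# Copyright 2020 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Default values for HAProxy

## Configure Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
  annotations: {}
  create: true
  # null: the chart templates (outside this file) presumably derive the name — confirm
  name: null
# HAProxy itself does not talk to the Kubernetes API; set this to false to keep the
# service-account token out of the pod unless a sidecar needs it.
automountServiceAccountToken: true

## Override namespace for the whole chart
## If namespaceOverride is set, helm will use its value instead of .Release.Namespace for all chart components.
## It is useful in case HAProxy is used as a dependency for another helm chart.
## The value can be overridden in the parent chart's values.yaml.
## Example values.yaml of parent chart:
# namespaceOverride: haproxytech

## Default values for image
image:
  repository: docker.io/haproxytech/haproxy-alpine  # can be changed to use CE or EE images
  tag: ""  # overrides the image tag whose default is the chart appVersion
  pullPolicy: IfNotPresent

## Automatically Roll Deployments
# ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksumConfigMap:
  enabled: true

## Share Process Namespace between Containers in a Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
shareProcessNamespace:
  enabled: false

## Pods: How Pods manage multiple containers
# ref: https://kubernetes.io/docs/concepts/workloads/pods/#workload-resources-for-managing-pods
# ref: https://kubernetes.io/docs/concepts/workloads/pods/#how-pods-manage-multiple-containers
sidecarContainers: []
## Reflex
# ref: https://github.com/cespare/reflex
# ref: https://hub.docker.com/r/acim/go-reflex
# NOTE: this example signals the HAProxy process from another container (pkill), which
# presumably needs shareProcessNamespace.enabled: true — confirm before enabling.
#   - name: reflex
#     image: acim/go-reflex:1.17.3
#     command: ["reflex", "-d", "fancy"]
#     workingDir: /usr/local/etc/haproxy
#     args:
#       - -svr
#       - "..data"
#       - --
#       - bash
#       - -c
#       - 'pkill -SIGUSR2 "haproxy|hapee-lb"'
#     ports:
#       - name: tcp
#         containerPort: 3000
#         protocol: TCP
#     imagePullPolicy: IfNotPresent
#     volumeMounts:
#       - name: haproxy-config
#         mountPath: /usr/local/etc/haproxy
#     resources:
#       limits:
#         cpu: 100m
#         memory: 128Mi
#       requests:
#         cpu: 50m
#         memory: 64Mi

## Deployment or DaemonSet pod mode
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
kind: Deployment  # can be 'Deployment' or 'DaemonSet'
replicaCount: 1  # used only for Deployment mode

## minReadySeconds setting of Deployment or DaemonSet
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 0

## Command line arguments to pass to HAProxy
args:
  enabled: true  # EE images require disabling this due to S6-overlay
  # ref: http://cbonte.github.io/haproxy-dconv/2.6/management.html#3
  defaults: ["-f", "/usr/local/etc/haproxy/haproxy.cfg"]
  extraArgs: []  # EE images require disabling this due to S6-overlay

## Annotations to add to the deployment metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
deploymentAnnotations: {}  # key: value
deploymentLabels: {}  # key: value

## Controller Container liveness/readiness probe configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
## All three probes default to {} — presumably the chart then renders no probe at all, so an
## unhealthy HAProxy keeps receiving traffic; confirm against the templates and set at least
## a readiness probe in production.
livenessProbe: {}
#   failureThreshold: 3
#   successThreshold: 1
#   initialDelaySeconds: 0
#   timeoutSeconds: 1
#   tcpSocket:
#     port: 80
#   periodSeconds: 10
readinessProbe: {}
#   failureThreshold: 3
#   successThreshold: 1
#   initialDelaySeconds: 0
#   timeoutSeconds: 1
#   tcpSocket:
#     port: 80
#   periodSeconds: 10
startupProbe: {}
#   failureThreshold: 20
#   successThreshold: 1
#   initialDelaySeconds: 0
#   timeoutSeconds: 1
#   tcpSocket:
#     port: 80
#   periodSeconds: 1

## DaemonSet configuration
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
daemonset:
  useHostNetwork: false  # also modify dnsPolicy accordingly
  useHostPort: false
  # With useHostNetwork or useHostPort these ports are reachable on the node's own
  # interfaces, including the stat port below; restrict it in the HAProxy config or with
  # a NetworkPolicy if it is not meant to be public.
  hostPorts:
    http: 80
    https: 443
    stat: 1024

## Init Containers
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# The example below needs a privileged container. Where the kubelet allows the sysctl,
# the pod-level podSecurityContext.sysctls option further down in this file is the
# non-privileged alternative.
#   - name: sysctl
#     image: "busybox:musl"
#     command:
#       - /bin/sh
#       - -c
#       - sysctl -w net.core.somaxconn=65536
#     securityContext:
#       privileged: true

## Pod termination grace period
## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
terminationGracePeriodSeconds: 60

## Private Registry configuration
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Prefer existingImagePullSecret over registry credentials in a committed values file.
imageCredentials:
  registry: null  # EE images require setting this
  username: null  # EE images require setting this
  password: null  # EE images require setting this
  existingImagePullSecret: null

## Container listener port configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
containerPorts:  # has to match hostPorts when useHostNetwork is true
  http: 80
  https: 443
  stat: 1024

## Raw container ports configuration (alternative to containerPorts for more control)
## Allows specifying container ports in full Kubernetes format with custom protocols, names, etc.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#containerport-v1-core
rawContainerPorts: []
# Example:
#   - containerPort: 9090
#     name: metrics-port
#     protocol: TCP
#   - containerPort: 8080
#     name: custom-http
#     protocol: TCP

## Deployment strategy definition
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
strategy: {}
#   rollingUpdate:
#     maxSurge: 25%
#     maxUnavailable: 25%
#   type: RollingUpdate

## Pod PriorityClass
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""

## Container lifecycle handlers
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
## Example preStop for graceful shutdown
#   preStop:
#     exec:
#       command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"]

## Additional envs to the main container
extraEnvs: []
## Example passing the pod IP into a container
#   - name: POD_IP
#     valueFrom:
#       fieldRef:
#         fieldPath: status.podIP

## Use envFrom to add env vars from a secret or ConfigMap to the HAProxy container
## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
extraEnvFrom: []
## Example referencing a ConfigMap
#   - configMapRef:
#       name: ha-env-config

## Additional volumeMounts to the controller main container
extraVolumeMounts: []
## Example empty volume mounts when using securityContext->readOnlyRootFilesystem
#   - name: etc-haproxy
#     mountPath: /etc/haproxy
#   - name: tmp
#     mountPath: /tmp
#   - name: var-state-haproxy
#     mountPath: /var/state/haproxy

## Additional volumes to the controller pod
extraVolumes: []
## Example empty volumes when using securityContext->readOnlyRootFilesystem
#   - name: etc-haproxy
#     emptyDir: {}
#   - name: tmp
#     emptyDir: {}
#   - name: var-state-haproxy
#     emptyDir: {}

## HAProxy daemon configuration
# ref: https://www.haproxy.org/download/2.6/doc/configuration.txt
# This default only binds :80 in plain text with a placeholder backend (10.0.0.1:8080);
# the https and stat container ports declared above have no listener until you add one.
config: |
  global
    log stdout format raw local0
    maxconn 1024
  defaults
    log global
    timeout client 60s
    timeout connect 60s
    timeout server 60s
  frontend fe_main
    bind :80
    default_backend be_main
  backend be_main
    server web1 10.0.0.1:8080 check

# Mount path and sub path for config file
configMount:
  mountPath: /usr/local/etc/haproxy  # EE images use /etc/hapee-VERSION/hapee-lb.cfg
  subPath: ""  # EE images use hapee-lb.cfg

## Basic features : Maps
# ref: http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#7.3.1-map
# ref: http://cbonte.github.io/haproxy-dconv/2.6/intro.html#3.3.8
# Parses as null while no entries are given; each entry is a file name mapped to its content.
includes:
  # routes.map: |
  #   www.example.com/v1 www.example2.com/v2
  #   api.example.com/v1 api.example2.com/v2
  #   static.example.com/v1 static.example2.com/v2
  # 200.http: |
  #   HTTP/1.1 200 OK
  #   Cache-Control: no-cache
  #   Connection: close
  #   Content-Type: text/html
  #
  #   200 OK
  #
  #   # Check passed.
  #

## Mount path for includes and maps
includesMountPath: /usr/local/etc/haproxy/includes  # EE images use /etc/hapee-VERSION

## Additional secrets to mount as volumes
## This is expected to be an array of dictionaries specifying the volume name, secret name and mount path
mountedSecrets: []
#   - volumeName: ssl-certificate
#     secretName: star-example-com
#     mountPath: /usr/local/etc/ssl

## Pod Node assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}

## Node Taints and Tolerations for pod-node scheduling through attraction/repelling
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
#   - key: "key"
#     operator: "Equal|Exists"
#     value: "value"
#     effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

## Node Affinity for pod-node scheduling constraints
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

## Topology spread constraints (only used in kind: Deployment)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []
# NOTE: the matchLabels below look copied from the kubernetes-ingress chart; use the
# app.kubernetes.io/name and app.kubernetes.io/instance labels of this release instead.
#   - maxSkew: 1
#     topologyKey: kubernetes.io/zone
#     whenUnsatisfiable: DoNotSchedule
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/name: kubernetes-ingress
#         app.kubernetes.io/instance: kubernetes-ingress

## Pod DNS Config
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
dnsConfig: {}

## Pod DNS Policy
## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ClusterFirst

## Additional labels to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}  # key: value

## Additional annotations to add to the pod container metadata
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}  # key: value

## Enable RBAC Authorization
## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
rbac:
  create: true

## Optional Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
## PodSecurityPolicy was removed from Kubernetes in v1.25; on such clusters keep this
## disabled and rely on Pod Security Admission plus the securityContext settings below.
podSecurityPolicy:
  ## Specify pod annotations
  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
  ### WARNING!!! "AppArmor is only available on Ubuntu/Debian distributions of Linux."
  annotations: {}
  #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
  #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
  #   seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
  #   seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  enabled: false
  # ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
  # Enable only when the kubelet was started with: --allowed-unsafe-sysctls strings
  # Parses as null while no entries are given.
  allowedUnsafeSysctls:
  #   - net.*

## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
### ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
### Sysctls: enable only when the kubelet was started with: --allowed-unsafe-sysctls strings
### (sysctl values are strings in the Kubernetes API, hence the quotes)
#   sysctls:
#     - name: net.ipv4.tcp_rmem
#       value: "4096 16060 262144"
#     - name: net.ipv4.tcp_wmem
#       value: "4096 16384 262144"
#     - name: net.ipv4.tcp_tw_reuse
#       value: "1"
#     - name: net.ipv4.ip_local_port_range
#       value: "1024 65023"
#     - name: net.ipv4.tcp_max_syn_backlog
#       value: "60000"
#     - name: net.ipv4.tcp_fin_timeout
#       value: "30"
#     - name: net.ipv4.tcp_synack_retries
#       value: "3"
#     - name: net.ipv4.ip_nonlocal_bind
#       value: "1"
#     - name: net.core.somaxconn
#       value: "60000"

## Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## {} applies no hardening at all. The example below is close to the "restricted" Pod
## Security Standard except for allowPrivilegeEscalation, which that profile requires to
## be false; keep it true only if the image needs it to bind privileged ports (confirm
## with the image in use).
securityContext: {}
#   enabled: true
#   runAsNonRoot: true
#   runAsUser: 1000
#   runAsGroup: 1000
#   allowPrivilegeEscalation: true
#   capabilities:
#     drop:
#       - ALL
#     add:
#       - NET_BIND_SERVICE
#   seccompProfile:
#     type: RuntimeDefault

## Compute Resources
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
resources:
  # limits:
  #   cpu: 250m
  #   memory: 128Mi
  requests:
    cpu: 250m
    memory: 128Mi

## Horizontal Pod Autoscaler
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 7
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
  # additionalMetrics:
  #   - type: Object
  #     object:
  #       metric:
  #         name: requests-per-second
  #       describedObject:
  #         apiVersion: networking.k8s.io/v1
  #         kind: Ingress
  #         name: main-route
  #       target:
  #         type: Value
  #         value: 10k
  ## Behavior
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
  # behavior:
  #   scaleDown:
  #     stabilizationWindowSeconds: 3600

keda:
  enabled: false
  minReplicas: 2
  maxReplicas: 20
  pollingInterval: 30
  cooldownPeriod: 300
  restoreToOriginalReplicaCount: false
  # fallback:
  #   failureThreshold: 3
  #   replicas: 6
  #   behavior: static
  scaledObject:
    annotations: {}
  behavior: {}
  #   scaleDown:
  #     stabilizationWindowSeconds: 300
  #     policies:
  #       - type: Percent
  #         value: 100
  #         periodSeconds: 15
  triggers: []
  #   - type: prometheus
  #     metadata:
  #       serverAddress: http://:9090
  #       metricName: haproxy_process_idle_time_percent
  #       threshold: '50'
  #       query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m]))

## Pod Disruption Budget
## Only to be used with Deployment kind
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
## (key spelling `PodDisruptionBudget.enable` is what the templates read; kept for compatibility)
PodDisruptionBudget:
  enable: false
  # maxUnavailable: 1
  # minAvailable: 1

## Service configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
service:
  type: ClusterIP  # can be 'ClusterIP', 'NodePort', 'LoadBalancer'

  ## Service ClusterIP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  clusterIP: ""

  ## LoadBalancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
  loadBalancerIP: ""

  ## Source IP ranges permitted to access Network Load Balancer
  ## An empty list applies no source restriction at the load balancer.
  # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
  loadBalancerSourceRanges: []

  ## Service ExternalIPs
  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
  externalIPs: []

  ## Service annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  annotations: {}

  ## Service labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  labels: {}

  ## IPv4/IPv6 dual-stack
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
  ##
  # ipFamilies: [IPv4, IPv6]
  # ipFamilyPolicy: PreferDualStack

  ## Service externalTrafficPolicy
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy
  # externalTrafficPolicy: Cluster

  ## Service internalTrafficPolicy
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/
  # internalTrafficPolicy: Cluster

  ## Additional Service ports to use (e.g. port of side container haproxy exporter)
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  additionalPorts: {}
  #   prometheus: 9101

  ## Raw additional service ports configuration (alternative to additionalPorts for more control)
  ## Allows specifying service ports in full Kubernetes format with custom protocols, names, etc.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#serviceport-v1-core
  rawAdditionalPorts: []
  # Example:
  #   - name: metrics-port
  #     port: 9090
  #     targetPort: 9090
  #     protocol: TCP
  #   - name: custom-service
  #     port: 8080
  #     targetPort: custom-http
  #     protocol: TCP

  ## NodePort custom port
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport-custom-port
  nodePorts: {}
  #   http: 32080
  #   https: 32443

serviceMonitor:
  ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured
  enabled: false

  ## Specify the labels to add to the ServiceMonitors to be selected for target discovery
  extraLabels: {}

  ## Specify the endpoints
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor
  ## `port` is a Service port name; it presumably has to exist in service.additionalPorts
  ## (e.g. the commented `prometheus: 9101` above) — confirm against the templates.
  endpoints:
    - port: prometheus
      path: /metrics
      scheme: http
      interval: 30s

## Configure Ingress
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
  enabled: false
  servicePort: 80
  ## Ingress class
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
  className: ""
  ## Ingress labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  labels: {}
  ## Ingress annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ## (the kubernetes.io/ingress.class annotation is deprecated; prefer className above)
  annotations: {}
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"
  ## Ingress hosts
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  hosts:
    - host: haproxy.domain.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  ## Ingress TLS
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  tls: []
  #   - secretName: chart-example-tls
  #     hosts:
  #       - haproxy.domain.com

# -- Expose the service via gateway-api HTTPRoute
# Requires Gateway API resources and suitable controller installed within the cluster
# (see: https://gateway-api.sigs.k8s.io/guides/)
httpRoute:
  # HTTPRoute enabled.
  enabled: false
  # HTTPRoute servicePort to route to
  servicePort: 80
  # HTTPRoute labels
  labels: {}
  # HTTPRoute annotations.
  annotations: {}
  # Which Gateways this Route is attached to.
  parentRefs:
    - name: gateway
      sectionName: http
      # namespace: default
  # Hostnames matching HTTP header.
  hostnames:
    - chart-example.local
  # List of rules and filters applied.
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
    #   filters:
    #     - type: RequestHeaderModifier
    #       requestHeaderModifier:
    #         set:
    #           - name: My-Overwrite-Header
    #             value: this-is-the-only-value
    #         remove:
    #           - User-Agent
    # - matches:
    #     - path:
    #         type: PathPrefix
    #         value: /echo
    #       headers:
    #         - name: version
    #           value: v2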